PWS:Win32/Zbot.gen!R is a password-stealing trojan that may arrive in the system as a spammed email purporting to be an airline e-ticket or a network settings change notification.
Installation
PWS:Win32/Zbot.gen!R may arrive in the system via a spammed email, for example:
===
From: <tickets@nwa.com> (note that this address is spoofed)
To: <recipient email address>
Subject: E-ticket #4958701247
Attachment: Your_ETicket.zip (note that when unzipped, this file becomes Your_ETicket.exe and is detected as PWS:Win32/Zbot.gen!R)
Body:
Hello!
Thank you for using our new service "Buy Northwest Airlines ticket Online" on our website.
Your account has been created:
Your login: recipient e-mail address
Your password: pass5OB1
Your credit card has been charged for $424.02.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Cheri Mckenna
Northwest Airlines
===
Body:
Dear user of the <company> mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (<user>@<company>) settings were changed. In order to apply the new set of settings click on the following link:
<link to a copy of PWS:Win32/Zbot.gen!R>
===
Note that the emails are fake and are not sent out by any airline or mailing service.
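A mail gateway or analyst script can catch the first lure before a user opens it, because the attachment is a zip whose only member is an executable. The following is an added example, not part of the original write-up: it triages a zipped attachment by listing members with executable extensions and quarantining the message if any are present. The archive is constructed in memory for the demonstration and contains plain text, not a real executable.

```python
"""Triage a zipped e-mail attachment for executable content.

Added example, not from the original write-up: the lure above delivers
Your_ETicket.zip, which unpacks to Your_ETicket.exe. The sample archive
is constructed in memory here so the script runs offline.
"""
import io
import zipfile
from typing import List

# Extensions Windows runs directly from a double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def executable_members(zip_bytes: bytes) -> List[str]:
    """Return the names of archive members with an executable extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                found.append(info.filename)
    return found


def build_sample_zip(member_name: str) -> bytes:
    """Construct a small zip holding one harmless text member under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "placeholder content, not a real executable")
    return buf.getvalue()


def should_quarantine(attachment_name: str, zip_bytes: bytes) -> bool:
    """Quarantine when a .zip attachment carries at least one executable member."""
    if not attachment_name.lower().endswith(".zip"):
        return False
    return bool(executable_members(zip_bytes))


if __name__ == "__main__":
    # Constructed samples: the lure's attachment name and a benign control.
    lure = build_sample_zip("Your_ETicket.exe")
    benign = build_sample_zip("invoice.pdf")
    print("Your_ETicket.zip ->", "quarantine" if should_quarantine("Your_ETicket.zip", lure) else "deliver")
    print("invoice.zip ->", "quarantine" if should_quarantine("invoice.zip", benign) else "deliver")
```

The check is deliberately simple: it looks at member names only, which is enough for this lure, and it sits in front of, not instead of, antivirus scanning of the archive contents.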
Upon execution, PWS:Win32/Zbot.gen!R drops a copy of itself as "<system folder>\twex.exe". It then modifies the following registry value so that the dropped copy automatically runs every time a user logs in:
Modifies value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\twex.exe,"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
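Because the trojan persists by appending its own executable to the Winlogon "Userinit" value, a defender can detect this family of modification by parsing that value and reporting every entry other than the legitimate userinit.exe. The following is an added example, not part of the original write-up: the parsing helpers run anywhere on constructed sample values modelled on the registry change described above, and the optional `read_live_userinit` function reads the real value through the standard `winreg` module when run on Windows.

```python
"""Check a Winlogon Userinit value for extra autostart entries.

Added example, not from the original write-up. The legitimate Userinit
data is "<system folder>\\userinit.exe,"; the trojan described above
appends "<system folder>\\twex.exe," to it. Any entry beyond userinit.exe
is reported as suspicious.
"""
import ntpath
from typing import List, Optional

WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def userinit_entries(data: str) -> List[str]:
    """Split the comma-separated Userinit data into trimmed, non-empty entries."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def suspicious_userinit_entries(data: str, system_folder: str) -> List[str]:
    """Return every Userinit entry that is not "<system folder>\\userinit.exe".

    Comparison is case-insensitive because Windows paths are.
    """
    expected = ntpath.join(system_folder, "userinit.exe").lower()
    return [entry for entry in userinit_entries(data) if entry.lower() != expected]


def read_live_userinit() -> Optional[str]:
    """On Windows, read the real Userinit value; elsewhere return None."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
        return value


# Constructed sample values for the demonstration (XP/Vista default system folder).
SYSTEM_FOLDER = r"C:\Windows\System32"
CLEAN_VALUE = r"C:\Windows\System32\userinit.exe,"
INFECTED_VALUE = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\twex.exe,"


if __name__ == "__main__":
    samples = [("clean sample", CLEAN_VALUE), ("infected sample", INFECTED_VALUE)]
    live = read_live_userinit()
    if live is not None:
        samples.append(("this host", live))
    for label, value in samples:
        extras = suspicious_userinit_entries(value, SYSTEM_FOLDER)
        if extras:
            print(f"{label}: extra Userinit entries: {', '.join(extras)}")
        else:
            print(f"{label}: OK")
```

On a live host, pass the system folder reported by the operating system (for example the `SystemRoot` environment variable plus `System32`) rather than the hard-coded default, so that a non-standard installation path is not itself flagged.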
Payload
Steals Information
PWS:Win32/Zbot.gen!R attempts to steal the following sensitive information from the system:
- Certificates
- Cached passwords
- Cookies
It also creates the following encrypted log file, in which it presumably writes all stolen data:
<system folder>\twain_32\user.ds
It then attempts to connect to the IP address "91.211.65.33" for additional instructions from a remote attacker.
Analysis by Francis Allan Tan Seng